Mikroceen

Description

(ESET) In this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities.

Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government and Checkpoint’s Vicious Panda against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological notion, but also to have at least phonemic agreement.

Names

Name               Name-Giver
Mikroceen          ESET
SixLittleMonkeys   Kaspersky

Country

Motivation

  • Information theft and espionage

First Seen

2017

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

99c03ea2-2c7c-49fc-a513-9f2782b630a7

Last Card Change

2021-04-20